phoenix-dev mailing list archives

From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-3598) Enable proxy access to Phoenix query server for third party on behalf of end users
Date Tue, 21 Mar 2017 03:19:41 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-3598?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15934029#comment-15934029 ]

Josh Elser commented on PHOENIX-3598:
-------------------------------------

{code}
+    public String extractRemoteUser(HttpServletRequest request) throws Exception {
+      if (request.getParameter("doAs") != null) {
+        String doAsUser = request.getParameter("doAs");
+        UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(doAsUser, serverUgi);
+
+        // Check if this user is allowed to be impersonated.
+        // Will throw AuthorizationException if the impersonation as this user is not allowed
+        ProxyUsers.authorize(proxyUser, request.getRemoteAddr(););
+        this.remoteUserExtractor = new HttpQueryStringParameterRemoteUserExtractor();
{code}
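
Review bot: The `ProxyUsers.authorize(proxyUser, request.getRemoteAddr(););` line has a stray `);` after `getRemoteAddr()` and will not compile as written; it should end `request.getRemoteAddr());`. In the same block, `request.getParameter("doAs")` is read twice and only compared against null, so an empty `doAs=` value still reaches `createProxyUser`. Read the parameter once into `doAsUser` and reject an empty value before building the proxy UGI.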

This needs to be done via explicit configuration. Otherwise, it's introducing a security hole.

{code}
+      } else {
+        this.remoteUserExtractor = new HttpRequestRemoteUserExtractor();
+      }
{code}
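
Review bot: The else branch at `this.remoteUserExtractor = new HttpRequestRemoteUserExtractor();`, like the `doAs` branch before it, stores the per-request choice of extractor in an instance field from inside `extractRemoteUser`. If this object is shared across request threads, a concurrent request can read or overwrite that field, so a request could be handled with the extractor selected for a different request. Keep the selection in a local variable, or hold both extractors as final fields and pick between them per call, so the impersonation decision stays scoped to the request that passed `ProxyUsers.authorize`.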

This is creating a new object unnecessarily for every request to PQS, which is bad. Just create
a single instance in the constructor.

> Enable proxy access to Phoenix query server for third party on behalf of end users
> ----------------------------------------------------------------------------------
>
>                 Key: PHOENIX-3598
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3598
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Jerry He
>            Assignee: Shi Wang
>         Attachments: 0001-PHOENIX-3598.patch
>
>
> This JIRA tracks the follow-on work of CALCITE-1539 needed on Phoenix query server side.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
